attack.stealth

.RDP File Created By Uncommon Application

Apr 28, 2026 · attack.stealth ·

Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

Apr 28, 2026 · attack.privilege-escalation attack.stealth attack.defense-impairment attack.t1685 attack.t1055.009 ·

Share on:

Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:

Use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
Modification of the /proc/sys/kernel/randomize_va_space file
Execution of the sysctl command to set kernel.randomize_va_space=0 Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

Potential SolidPDFCreator.DLL Sideloading

Apr 28, 2026 · attack.persistence attack.privilege-escalation attack.execution attack.stealth attack.t1574.001 ·

Share on:

Apr 28, 2026 · attack.privilege-escalation attack.stealth attack.t1134.002 attack.t1036.005 detection.emerging-threats ·

Share on:

Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. Observed process chain services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session)

Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments.

Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.

RedSun - Named Pipe Created

Apr 28, 2026 · attack.privilege-escalation attack.stealth attack.defense-impairment attack.t1055 attack.t1685 detection.emerging-threats ·

Share on:

Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution.

RedSun - TieringEngineService.exe Detected as EICAR Test File

Apr 28, 2026 · attack.stealth attack.defense-impairment attack.t1036.005 attack.t1685 attack.privilege-escalation attack.t1055 detection.emerging-threats ·

Share on:

Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool.

RedSun works as follows:

Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
During the oplock break window, RedSun swaps the mount point (junction) to redirect \?\C:\Windows\System32 to the attacker-controlled temp path
This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir

Apr 28, 2026 · attack.stealth attack.t1036.005 detection.emerging-threats ·